Parasoft C/C++ Testing Starter Kit "C/C++ Error-Detection Techniques" White Paper Inomed Case Study NEC Case Study Bovie Case Study Parasoft C/C++Test Data Sheet
Total Page:16
File Type:pdf, Size:1020Kb
Parasoft C/C++ Testing Starter Kit "C/C++ Error-Detection Techniques" White Paper Inomed Case Study NEC Case Study Bovie Case Study Parasoft C/C++test Data Sheet Integrated Error-Detection Techniques: Find More Bugs in Embedded C Software Software verification techniques such as pattern-based static code analysis, runtime memory monitoring, unit testing, and flow analysis are all valuable techniques for finding bugs in embedded C software. On its own, each technique can help you find specific types of errors. However, if you restrict yourself to applying just one or some of these techniques in isolation, you risk having bugs that slip through the cracks. A safer, more effective strategy is to use all of these complementary techniques in concert. This establishes a bulletproof framework that helps you find bugs which are likely to evade specific techniques. It also creates an environment that helps you find functional problems, which can be the most critical and difficult to detect. This paper will explain how automated techniques such as pattern-based static code analysis, runtime memory monitoring, unit testing, and flow analysis can be used together to find bugs in an embedded C application. These techniques will be demonstrated using Parasoft C++test, an integrated solution for automating a broad range of best practices proven to improve software development team productivity and software quality. As you read this paper—and whenever you think about finding bugs—it’s important to keep sight of the big picture. Automatically detecting bugs such as memory corruption and deadlocks is undoubtedly a vital activity for any development team. However, the most deadly bugs are functional errors, which often cannot be found automatically. We’ll briefly discuss techniques for finding these bugs at the conclusion of this paper. Introducing the Scenario To provide a concrete example, we will introduce and demonstrate the recommended bug-finding strategies in the context of a scenario that we recently encountered: a simple sensor application that runs on an ARM board. Assume that so far, we have created an application and uploaded it to the board. When we tried to run it, we did not see an expected output on the LCD screen. It’s not working, but we’re not sure why. We can try to debug it, but debugging on the target board is time- consuming and tedious. We would need to manually analyze the debugger results and try to determine the real problems on our own. Or, we might apply certain tools or techniques proven to pinpoint errors automatically. At this point, we can start crossing our fingers as we try to debug the application with the debugger. Or, we can try to apply an automated testing strategy in order to peel errors out of the code. If it’s still not working after we try the automated techniques, we can then go to the debugger as a last resort. Page 1 Pattern-Based Static Code Analysis Let’s assume that we don’t want to take the debugging route unless it’s absolutely necessary, so we start by running pattern-based static code analysis. It finds one problem: This is a violation of a MISRA rule that says that there is something suspicious with this assignment operator. Indeed, our intention was not to use an assignment operator, but rather a comparison operator. So, we fix this problem and rerun the program. There is improvement: some output is displayed on the LCD. However, the application crashes with an access violation. Again, we have a choice to make. We could try to use the debugger, or we can continue applying automated error detection techniques. Since we know from experience that automated error detection is very effective at finding memory corruptions such as the one we seem to be experiencing, we decide to try runtime memory monitoring. Page 2 Runtime Memory Monitoring of the Complete Application To perform runtime memory monitoring, we have C++test instrument the application. This instrumentation is so lightweight that it is suitable for running on the target board. After uploading and running the instrumented application, then downloading results, the following error is reported: This indicates reading an array out of range at line 48. Obviously, the msgIndex variable must have had a value that was outside the bounds of the array. If we go up the stack trace, we see that we came here with this print message with a value that was out of range (because we put an improper condition for it before calling function printMessage() ). We can fix this by taking away unnecessary conditions (value <= 20). void handleSensorValue(int value) { initialize(); int index = -1; if (value >= 0 && value <= 10) { index = VALUE_LOW; } else if ((value > 10) && (value <= 20)) { index = VALUE_HIGH; } printMessage(index, value); } Page 3 Now, when we rerun the application, no more memory errors are reported. After the application is uploaded to the board, it seems to work as expected. However, we are still a bit worried. We just found one instance of a memory overwrite in the code paths that we exercised…but how can we rest assured that there are no more memory overwrites in the code that we did not exercise? If we look at the coverage analysis, we see that one of the functions, reportSensorFailure(), has not been exercised at all. We need to test this function…but how? One way is to create a unit test that will call this function. Unit Testing with Runtime Memory Monitoring We create a test case skeleton using C++test’s test case wizard, then we fill in some test code. Then, we run this test case—exercising just this one previously-untested function—with runtime memory monitoring enabled. With C++test, this entire operation takes just seconds. The results show that the function is now covered, but new errors are reported: Our test case uncovered more memory-related errors. We have a clear problem with memory initialization (null pointers) when our failure handler is being called. Further analysis leads us to realize that in reportSensorValue() we mixed an order of calls. finalize() is being called before printMessage() is called, but finalize() actually frees memory used by printMessage(). Page 4 void finalize() { if (messages) { free(messages[0]); free(messages[1]); free(messages[2]); } free(messages); } We fix this order, then rerun the test case one more time. That resolves one of the errors reported. Now, let’s look at the second problem reported: AccessViolationException in the print message. This occurs because these table messages are not initialized. To resolve this, we call the initialize() function before printing the message. The repaired function looks as follows: void reportSensorFailure() { initialize(); printMessage(ERROR, 0); finalize(); } When we rerun the test, only one task is reported: an unvalidated unit test case, which is not really an error. All we need to do here is verify the outcome in order to convert this test into a regression test. C++test will do this for us automatically by creating an appropriate assertion. Next, we run the entire application again. The coverage analysis shows that almost the entire application was covered, and the results show that no memory error problems occurred. Are we done now? Not quite. Even though we ran the entire application and created unit tests for an uncovered function, there are still some paths that are not covered. We can continue with unit Page 5 test creation, but it would take some time to cover all of the paths in the application. Or, we can try to simulate those paths with flow analysis. Flow Analysis We run flow analysis with C++test’s BugDetective, which tries to simulate different paths through the system and check if there are potential problems in those paths. The following issues are reported: If we look at them, we see that there is a potential path—one that was not covered—where there can be a double free in the finalize() function. The reportSensorValue() function calls finalize(), then the finalize() calls free(). Also, finalize() is called again in the mainLoop(). We could fix this by making finalize() more intelligent, as shown below: void finalize() { if (messages) { free(messages[0]); free(messages[1]); free(messages[2]); free(messages); messages = 0; } } Now, let’s run flow analysis one more time. Only two problems are reported: Page 6 We might be accessing a table with the index -1 here. This is because the integral index is set initially to -1 and there is a possible path through the if statement that does not set this integral to the correct value before calling printMessage(). Runtime analysis did not lead to such a path, and it might be that such path would never be taken in real life. That is the major weakness of static flow analysis in comparison with actual runtime memory monitoring: flow analysis shows potential paths, not necessarily paths that will be taken during actual application execution. Since it’s better to be safe than sorry, we fix this potential error easily by removing the unnecessary condition (value >= 0). void handleSensorValue(int value) { initialize(); int index = -1; if (value <= 10) { index = VALUE_LOW; } else { index = VALUE_HIGH; } printMessage(index, value); } In a similar way, we fix the final error reported. Now, we rerun the flow analysis, and no more issues are reported. Page 7 Regression Testing To ensure that everything is still working, let’s re-run the entire analysis. First, we run the application with runtime memory monitoring, and everything seems fine. Then, we run unit testing with memory monitoring, and a task is reported: Our unit test detected a change in the behavior of the reportSensorFailure() function.